TL;DR
Mobile apps aren't just extensions of your backend; they are attack surfaces in their own right.
This guide breaks down real-world attack classes and short, concrete fixes for Expo (React Native) and Flutter, mapped to OWASP, NIST, and GDPR requirements.
No fluff. Just production-ready defenses.
Why This Guide Exists
Most developers harden their backend, but a large share of mobile breaches start on the device, not at the API.
Here's what you're up against:
- MITM attacks: traffic interception when certificate pinning is missing or bypassed
- Reverse engineering: hardcoded secrets pulled straight out of the app bundle
- Deep link hijacking: session takeover or forced actions triggered by malicious apps
- Insecure storage: secrets stored in plain text
- Biometric spoofing: replay and fake-face attacks
- Screen capture: credential leaks via malware
1. Secure Storage & Key Management
The Attack: Attackers unpack the app bundle and dump hardcoded API keys, or read them from unencrypted app storage on a rooted device or out of a backup.
The Fix: Store secrets in the iOS Keychain / Android Keystore, gated by device authentication (passcode or biometrics) where the data warrants it.
Never store secrets in AsyncStorage or SharedPreferences; both are plain files under the app's data directory. Better still, don't ship long-lived API keys in the app at all: issue short-lived, per-user tokens from your backend after the user authenticates.

Expo fix (expo-secure-store):
import * as SecureStore from 'expo-secure-store';

// Keychain/Keystore-backed. requireAuthentication prompts for biometrics or
// passcode on every read (iOS needs NSFaceIDUsageDescription in app.json);
// WHEN_UNLOCKED_THIS_DEVICE_ONLY keeps the item out of backups and off other devices.
await SecureStore.setItemAsync('api_key', apiKey, {
  requireAuthentication: true,
  keychainAccessible: SecureStore.WHEN_UNLOCKED_THIS_DEVICE_ONLY,
});

Flutter fix (flutter_secure_storage):
import 'package:flutter_secure_storage/flutter_secure_storage.dart';

final storage = FlutterSecureStorage();

// iOS: readable only while unlocked and only if a passcode is set
// (kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly; the enum is
// KeychainAccessibility in flutter_secure_storage v5+).
// Android: use EncryptedSharedPreferences, whose key is wrapped by the Keystore.
await storage.write(
  key: 'api_key',
  value: apiKey,
  iOptions: IOSOptions(accessibility: KeychainAccessibility.passcode),
  aOptions: AndroidOptions(encryptedSharedPreferences: true),
);

Pro Tip: There is no safe "fallback" to plain storage. If a value must be cached outside the Keychain/Keystore, encrypt it with a key that lives in the Keystore/Secure Enclave and is bound to user authentication. Biometrics unlock that key; they do not derive it, so a spoofed "authenticated" flag in your JavaScript or Dart never produces key material.
2. Network Security & SSL Pinning
The Attack: MITM tools (mitmproxy, Burp, Charles) get a fake CA installed on the device, or a Frida script hooks the TLS stack, and every API call becomes readable and modifiable.
The Fix: Pin the server's public key or certificate with a primary plus a backup pin, fail closed, and wipe session tokens when a pin check fails.

Expo (expo-ssl-pinning):
// NetworkingModule stands for the pinning-aware fetch your library exports;
// the option names below are the library's. certificateFilenames are .cer
// files bundled with the app: the current cert and the next one, so a
// planned rotation doesn't brick every installed client.
try {
  await NetworkingModule.fetch(url, {
    sslPinning: { certificateFilenames: ['api_primary', 'api_backup'] },
  });
} catch (err) {
  // Pin failure = active MITM or an unexpected server change. Either way:
  // fail closed, wipe tokens, force re-authentication. Never retry unpinned.
  await enterLockdownMode('pin_failure');
}

Flutter (Dio interceptor from http_certificate_pinning):
import 'package:dio/dio.dart';
import 'package:http_certificate_pinning/http_certificate_pinning.dart';

final _dio = Dio();

// allowedSHAFingerprints are SHA-256 fingerprints of the server certificate
// (uppercase hex, colon separated). These pin the certificate, not the key,
// so every renewal needs a new pin: ship the next cert's fingerprint as the
// backup before the current one expires.
_dio.interceptors.add(
  CertificatePinningInterceptor(
    allowedSHAFingerprints: ['AA:BB:CC...', 'BB:CC:DD...'],
  ),
);

If pinning fails, treat it as a compromise signal: enter lockdown mode (no sensitive actions, no retry over an unpinned channel), wipe access and refresh tokens, and force re-authentication once the connection is trusted again. Pinning is not a complete defense on its own: a repackaged or hooked app can have the pinning code patched out, which is why short token lifetimes (section 6) and runtime integrity checks (bonus section) still matter.
3. Deep Link & Intent Validation
The Attack: A malicious app (or a link in a message) opens yourapp://transfer?to=attacker&amount=5000 and, if the handler trusts its parameters, the app carries out the action with the victim's logged-in session.
The Fix: Treat every deep link parameter as untrusted input. Validate it against a strict allowlist, never execute a state-changing action straight from a link, and require explicit user (or biometric) confirmation.

Expo fix (expo-linking):
import * as Linking from 'expo-linking';

// url comes from Linking.useURL() or Linking.getInitialURL().
// Linking.parse returns the path without a leading slash.
const { path, queryParams } = Linking.parse(url);
if (path === 'transfer') {
  // Validate first (throw on anything outside the allowlist), then only prefill.
  const to = validateRecipient(queryParams.to);
  const amount = validateAmount(queryParams.amount);
  const confirmed = await showTransferConfirmation(to, amount);
  if (confirmed) await executeSecureTransfer(to, amount); // re-authorized server-side
}

Bonus: Regex-validate every parameter, rate-limit link-triggered actions, and log every deep link event with its source. On Android use verified App Links and on iOS Universal Links (both tie the link to your domain through a hosted association file) so that another app cannot register your custom scheme and intercept your links.
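As an added example (not code from the original post or from Expo), here is a strict validator for the transfer link above. It runs in plain Node and in a React Native app that has the WHATWG URL polyfill. The scheme yourapp://, the parameter names to and amount, the IBAN-shaped recipient pattern and the amount cap are assumptions for illustration; substitute your own allowlist. It returns a prefill request, never an executed action.

```javascript
// Added example: allowlist-based deep link validation. All constants below are
// illustrative assumptions, not values from the original post.
const ALLOWED_ACTIONS = new Set(['transfer']);
const RECIPIENT_RE = /^[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}$/; // IBAN-shaped, assumed format
const MAX_AMOUNT_CENTS = 100_000_00; // assumed policy limit: 100,000.00

// Accept only "123" or "123.45": no sign, no exponent, no whitespace,
// ASCII digits only (\d never matches Unicode digits in JS).
function parseAmountToCents(raw) {
  if (typeof raw !== 'string' || !/^\d{1,9}(\.\d{1,2})?$/.test(raw)) return null;
  const [whole, frac = ''] = raw.split('.');
  const cents = Number(whole) * 100 + Number(frac.padEnd(2, '0'));
  if (cents <= 0 || cents > MAX_AMOUNT_CENTS) return null;
  return cents;
}

function validateDeepLink(urlString, expectedScheme = 'yourapp:') {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (url.protocol !== expectedScheme) return { ok: false, reason: 'wrong_scheme' };

  // yourapp://transfer?x=y parses with host "transfer";
  // yourapp:///transfer parses with pathname "/transfer". Accept either shape.
  const action = (url.host || url.pathname.replace(/^\/+/, '')).toLowerCase();
  if (!ALLOWED_ACTIONS.has(action)) return { ok: false, reason: 'unknown_action' };

  // Duplicate keys (?amount=1&amount=9999) are a classic parser-differential
  // trick: the app shows one value, the backend reads the other. Reject them.
  const keys = [...url.searchParams.keys()];
  if (new Set(keys).size !== keys.length) return { ok: false, reason: 'duplicate_param' };
  if (keys.some((k) => k !== 'to' && k !== 'amount')) return { ok: false, reason: 'unexpected_param' };

  const to = url.searchParams.get('to') ?? '';
  if (!RECIPIENT_RE.test(to)) return { ok: false, reason: 'bad_recipient' };
  const amountCents = parseAmountToCents(url.searchParams.get('amount') ?? '');
  if (amountCents === null) return { ok: false, reason: 'bad_amount' };

  // A validated link only prefills the confirmation screen; the transfer itself
  // still goes through the authenticated flow and is authorized server-side.
  return { ok: true, action, to, amountCents };
}
```

The amount is normalized to integer cents before it reaches any business logic, so the confirmation screen and the backend see the same value. Keeping the allowlist of actions and parameter names explicit is what makes this hold up when new link types are added later: anything not listed is rejected by default.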
4. Biometric Authentication Hardening
The Attack: Spoofed biometric input (a printed fingerprint, a photo or video of a face), or a hooked app: with Frida an attacker flips the boolean your "did biometrics succeed?" call returns and walks straight past the prompt.
The Fix:
- Use hardware-backed biometrics only (Secure Enclave on iOS; StrongBox or TEE-backed Keystore on Android) and require BIOMETRIC_STRONG (Class 3) authenticators on Android.
- Bind the authentication to a key, not a boolean: generate the signing or decryption key in the Keystore / Secure Enclave with user authentication required, and make the sensitive operation depend on using that key. A spoofed "true" then achieves nothing, because the key never unlocks.
- Lock out after 3 failed app-level attempts and fall back to the device passcode, never to a weaker in-app PIN.
- Detect jailbreak/root before allowing sensitive ops, and treat the result as a risk signal rather than a guarantee: root detection can be bypassed by the same tooling it looks for.
5. Screen & Screenshot Protection
The Attack: Malware (or a screen-sharing "support" scam) records your app screen and harvests credentials, OTPs and balances; an ordinary screenshot lands in the gallery and in cloud photo backups.
The Fix: Block screenshots and recording on sensitive screens, refuse to render under untrusted overlays, and clear sensitive fields when the app leaves the foreground.

Expo fix (expo-screen-capture):
import * as ScreenCapture from 'expo-screen-capture';

// Android: sets FLAG_SECURE (blank in screenshots, recordings and the recents view).
// iOS has no FLAG_SECURE equivalent, so treat prevention there as best-effort.
await ScreenCapture.preventScreenCaptureAsync();
// Detection: iOS only tells you after the fact; log it, hide data, or re-auth.
const sub = ScreenCapture.addScreenshotListener(() =>
  handleSecurityViolation('screenshot_attempted')
);
// When leaving the screen: sub.remove(); await ScreenCapture.allowScreenCaptureAsync();
6. API Tokens & Lifecycle
The Attack: Long-lived tokens = long-lived breaches. A bearer token lifted from a device (backup, malware, logs) keeps working for as long as it is valid.
The Fix:
- Keep access tokens short-lived (15 minutes or less).
- Rotate refresh tokens on every use and have the server revoke the whole token family when a previously used refresh token is replayed (reuse detection).
- Bind tokens to the client: sign requests with a device key held in the Keystore / Secure Enclave (the idea behind sender-constrained tokens such as DPoP) so that a stolen bearer token alone is useless.

import * as SecureStore from 'expo-secure-store';

// Store the expiry next to the token and check it before each request:
// a setTimeout dies as soon as the app is backgrounded or killed.
const expiresAt = Date.now() + 15 * 60 * 1000; // 15 minutes, matching the server's exp claim
await SecureStore.setItemAsync('access_token', token);
await SecureStore.setItemAsync('access_token_expires_at', String(expiresAt));
// Before each request: if (expiresAt - Date.now() < 60_000) await refreshTokens();
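An added example (not from the original post) of the lifecycle described above: a token manager that refreshes shortly before expiry instead of on a timer, collapses concurrent refreshes into a single request, and rotates the refresh token on every use. The authApi object is a stand-in for your backend's refresh endpoint; makeFakeAuthApi is constructed here, with server-side reuse detection, so the behaviour can be exercised offline. In production the refresh token would be persisted with SecureStore and the clock would be Date.now.

```javascript
// Added example: access-token lifecycle with pre-expiry refresh, single-flight
// refresh and refresh-token rotation. The clock is injected for testability.
class TokenManager {
  constructor(authApi, { now = () => Date.now(), skewMs = 60_000 } = {}) {
    this.authApi = authApi;   // assumed interface: refresh(refreshToken) -> { accessToken, expiresInSec, refreshToken }
    this.now = now;
    this.skewMs = skewMs;     // refresh this long before the access token actually expires
    this.accessToken = null;
    this.expiresAt = 0;
    this.refreshToken = null;
    this.inflight = null;     // single-flight guard for concurrent callers
  }

  // Called after login and after every successful refresh.
  setTokens({ accessToken, expiresInSec, refreshToken }) {
    this.accessToken = accessToken;
    this.expiresAt = this.now() + expiresInSec * 1000;
    this.refreshToken = refreshToken;
  }

  // Every API call goes through here; it never hands out a token about to lapse.
  async getAccessToken() {
    if (this.accessToken && this.expiresAt - this.now() > this.skewMs) return this.accessToken;
    if (!this.inflight) {
      this.inflight = this.refresh().finally(() => { this.inflight = null; });
    }
    return this.inflight;
  }

  async refresh() {
    if (!this.refreshToken) throw new Error('not authenticated');
    const used = this.refreshToken;
    this.refreshToken = null;                     // one use only; a failed refresh forces re-login
    const fresh = await this.authApi.refresh(used); // server invalidates `used` and issues a new one
    this.setTokens(fresh);
    return this.accessToken;
  }

  // Also called on pin failure or any lockdown trigger.
  logout() {
    this.accessToken = null;
    this.refreshToken = null;
    this.expiresAt = 0;
  }
}

// Constructed stand-in for the refresh endpoint. Presenting an already-used
// refresh token is treated as theft: the whole family is revoked.
function makeFakeAuthApi() {
  const valid = new Set(['rt-1']);
  let generation = 1;
  let calls = 0;
  return {
    get calls() { return calls; },
    async refresh(rt) {
      calls += 1;
      if (!valid.has(rt)) {
        valid.clear();
        throw new Error('refresh token reuse detected: family revoked');
      }
      valid.delete(rt);
      generation += 1;
      valid.add(`rt-${generation}`);
      return { accessToken: `at-${generation}`, expiresInSec: 900, refreshToken: `rt-${generation}` };
    },
  };
}
```

The single-flight guard matters on mobile: when the app comes back to the foreground, several screens typically fire requests at once, and without it each would try to spend the same refresh token, which the reuse detection above would then (correctly) treat as theft.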
7. Clipboard Hijacking Defense
The Attack: Malware polls the clipboard and scrapes copied 2FA codes, passwords and wallet keys, or swaps a copied wallet address for the attacker's before it is pasted.
The Fix: Read the clipboard only on an explicit user action, never in the background, and clear it as soon as the value has been consumed. For one-time codes, prefer OS autofill (SMS OTP autofill on Android, AutoFill on iOS) over copy-paste, and disable copy on fields that display secrets. The platforms help here too: Android 10+ blocks clipboard reads by apps that aren't in the foreground, and iOS 14+ shows a banner whenever an app reads the pasteboard, which is exactly the kind of signal a user should be able to trust.

Expo fix (expo-clipboard):
import * as Clipboard from 'expo-clipboard';

async function handlePaste() {
  const value = await Clipboard.getStringAsync(); // user-initiated read only
  applyPastedCode(value);
  await Clipboard.setStringAsync(''); // clear the clipboard once the value is consumed
}
<Button title="Paste" onPress={handlePaste} />
8. Accessibility / VoiceOver Exploits
The Attack: On Android, a malicious app that has tricked the user into granting the accessibility permission can read every label on screen and tap buttons on the user's behalf; this is how most banking trojans drive the victim's app.
The Fix: Don't lock out assistive technology: genuine VoiceOver/TalkBack users need your app, and blocking them fails accessibility requirements. Instead, keep sensitive values unreadable to accessibility services (masked fields, secureTextEntry), make sensitive actions depend on a biometric-bound key (section 4) that an accessibility service cannot satisfy, and use an active screen reader as a risk signal that steps up to biometric re-authentication rather than as a gate.

import { AccessibilityInfo } from 'react-native';

const accessibilityActive = await AccessibilityInfo.isScreenReaderEnabled();
// Risk signal, not a block: step up to biometric re-auth for the sensitive action.
if (accessibilityActive) await _requireBiometricReAuth();
9. Side-Channel Defenses (Wi-Fi/BLE Timing)
An observer on the same Wi-Fi or a nearby BLE sniffer sees packet sizes and timing even through TLS, and any code that compares a secret byte by byte leaks how many bytes matched. Random delays and decoy requests only add noise to traffic analysis (they raise the attacker's cost; they do not block it). What actually closes timing leaks is constant-time comparison of secrets (OTP codes, tokens, HMACs) and fixed-size padding of sensitive messages.

// Noise only: raises the cost of traffic analysis, does not eliminate it.
await new Promise(res => setTimeout(res, Math.random() * 1000 + 500));
// Never compare secrets with === ; use a constant-time compare (for example
// crypto.timingSafeEqual on the server) so that the comparison time does not
// depend on how many leading bytes matched.
10. Dependency & Supply Chain Security
The Attack: Typosquatted or hijacked packages, dependency confusion (a public package shadowing your private one), and install scripts that run arbitrary code the moment someone runs npm install.
The Fix: Commit lockfiles and install only from them, pin your private scope to a private registry, and run dependency audits in CI on every build.

# Install exactly what the lockfile says, skip install hooks where your native
# deps allow it, and audit production dependencies only.
npm ci --ignore-scripts && npm audit --omit=dev
# Private scope never resolves from the public registry (scope and URL are placeholders).
npm config set @yourscope:registry https://registry.example.internal/
# Fail the build if pubspec.lock has drifted, then list stale packages.
flutter pub get --enforce-lockfile && flutter pub outdated
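An added example (not from the original post) of the CI audit the fix calls for: a check over package-lock.json (lockfileVersion 2 or 3) that flags the supply-chain signals a reviewer cares about: packages resolved from a registry outside the allowlist, private-scope packages resolved from the public registry (dependency confusion), entries without an integrity hash, and packages with install scripts. The private scope @acme, the registry npm.acme.internal and the sample lockfile are constructed for illustration.

```javascript
// Added example: supply-chain checks over an npm lockfile. Hosts, scopes and
// the SAMPLE_LOCK below are assumptions, not values from the original post.
const ALLOWED_HOSTS = new Set(['registry.npmjs.org', 'npm.acme.internal']);
const PRIVATE_SCOPES = ['@acme/'];

function auditLockfile(lock, { allowedHosts = ALLOWED_HOSTS, privateScopes = PRIVATE_SCOPES } = {}) {
  if (!(lock.lockfileVersion >= 2) || !lock.packages) throw new Error('need lockfileVersion 2 or 3');
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '' || entry.link) continue; // root project / workspace symlink
    // "node_modules/a/node_modules/@s/b" -> "@s/b" unless the entry names itself (aliases)
    const name = entry.name || path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const flag = (rule, detail) => findings.push({ name, rule, detail });

    if (!entry.resolved) { flag('no_resolved', 'no resolved URL; provenance unknown'); continue; }
    let host;
    try { host = new URL(entry.resolved).host; } catch { flag('bad_resolved', entry.resolved); continue; }

    if (!allowedHosts.has(host)) flag('untrusted_registry', host);
    if (privateScopes.some((s) => name.startsWith(s)) && host === 'registry.npmjs.org') {
      flag('dependency_confusion', 'private scope resolved from the public registry');
    }
    if (!entry.integrity) flag('no_integrity', 'no subresource integrity hash; tarball can be swapped');
    if (entry.hasInstallScript) flag('install_script', 'runs code at install time; review before trusting');
  }
  return findings;
}

// Constructed lockfile fragment: one clean public package, one private-scope
// package that leaked to the public registry, one package from an unknown CDN
// with an install script and no integrity, and one clean private package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/expo-secure-store': {
      version: '13.0.1',
      resolved: 'https://registry.npmjs.org/expo-secure-store/-/expo-secure-store-13.0.1.tgz',
      integrity: 'sha512-constructedexamplehash0',
    },
    'node_modules/@acme/auth-sdk': {
      version: '2.1.0',
      resolved: 'https://registry.npmjs.org/@acme/auth-sdk/-/auth-sdk-2.1.0.tgz',
      integrity: 'sha512-constructedexamplehash1',
    },
    'node_modules/left-pad-utils': {
      version: '0.0.3',
      resolved: 'https://cdn.example.org/left-pad-utils-0.0.3.tgz',
      hasInstallScript: true,
    },
    'node_modules/@acme/ui': {
      version: '4.0.0',
      resolved: 'https://npm.acme.internal/@acme/ui/-/ui-4.0.0.tgz',
      integrity: 'sha512-constructedexamplehash2',
    },
  },
};

// CI usage: read package-lock.json, run auditLockfile, fail the build on any finding.
function auditPassed(lock) {
  return auditLockfile(lock).length === 0;
}
```

npm audit only knows about published advisories; this check catches the cases where nothing is "vulnerable" yet but the package simply did not come from where you think it did. Run it before npm ci so a poisoned lockfile never reaches the install step.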
Bonus: Runtime App Self-Protection (RASP)
The Attack: Frida/Xposed hooks, repackaged builds with the pinning or biometric check patched out, a debugger attached to the process, or code injected at runtime.
The Fix: Check integrity at runtime (signature of the running package, debugger attached, hooking frameworks present, root/jailbreak) and lock down when a check fails. Pair client-side checks with server-side attestation (Play Integrity on Android, App Attest on iOS), because anything that runs only inside the app can itself be hooked.

// threat comes from your RASP or attestation SDK's callback (shape is SDK-specific).
if (threat.severity === 'CRITICAL') enterLockdownMode(); // wipe tokens, block sensitive actions, report
Mobile Security Checklist
- Secure Storage
- SSL Pinning
- Deep Link Validation
- Biometric Integrity
- Token Rotation
- Clipboard Shield
- Accessibility Defense
- Side-Channel Padding
- Supply Chain Audit
- Runtime Protection
Final Takeaway
"Mobile security isn't a feature; it's a lifecycle."
Assume breach. Layer defenses. Automate audits.
Your users trust you with their fingerprints and funds. Protect them like your backend depends on it.
Check Video Overview: https://youtu.be/JTsv78qA9Lc?si=che1py2wMhSI1699
#MobileFirstSecurity #AppSec #OWASP #Expo #Flutter #SecureByDesign
Sent by Mohammad Abir Abbas
